BUG: KASAN: slab-out-of-bounds in pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474 [inline] at addr ffff8801cd0f3798
BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3303 at addr ffff8801cd0f3798
Read of size 1280 by task syzkaller256823/3255
CPU: 0 PID: 3255 Comm: syzkaller256823 Not tainted 4.9.41-g72a8dae #22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c71cf830 ffffffff81d92609 ffff8801da0013c0 ffff8801cd0f3780
 ffff8801cd0f3880 ffffed0039a1e708 ffff8801cd0f3798 ffff8801c71cf858
 ffffffff8153c1bc ffffed0039a1e708 ffff8801da0013c0 0000000000000000
Call Trace:
 [<ffffffff81d92609>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d92609>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c1bc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c47c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c47c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c47c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ca40>] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [<ffffffff8153b387>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [<ffffffff8153b387>] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [<ffffffff8153b883>] memcpy+0x23/0x50 mm/kasan/kasan.c:350
 [<ffffffff8356fa06>] pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474 [inline]
 [<ffffffff8356fa06>] pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3303
 [<ffffffff833cac94>] xfrm_user_policy+0x244/0x390 net/xfrm/xfrm_state.c:1900
 [<ffffffff83205ad7>] do_ip_setsockopt.isra.11+0x1977/0x2960 net/ipv4/ip_sockglue.c:1146
 [<ffffffff83206afa>] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [<ffffffff83226792>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [<ffffffff82ed1245>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [<ffffffff82ece1e0>] SYSC_setsockopt net/socket.c:1771 [inline]
 [<ffffffff82ece1e0>] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [<ffffffff838a5985>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801cd0f3780, in cache kmalloc-256 size: 256
Allocated:
PID = 3255
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 xfrm_user_policy+0xa9/0x390 net/xfrm/xfrm_state.c:1889
 do_ip_setsockopt.isra.11+0x1977/0x2960 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x160/0x250 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
 ffff8801cd0f3700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801cd0f3780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cd0f3800: 00 00 00 00 00 00 00 00 02 fc fc fc fc fc fc fc
                                           ^
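The shadow rows at the end of the report say more than the headline. Below is an added triage helper (not part of the report and not kernel code) that decodes them with KASAN's own encoding for 8-byte granules (0x00 = all 8 bytes accessible, 0x01..0x07 = that many leading bytes accessible, 0xfc = kmalloc redzone, 0xfb = freed object) and measures the access against the object. The three rows in REPORT_SHADOW are copied from the report above; the object address, access address, access size and slab size are the values the report prints. first_bad_addr() follows the stride rule of the kernel's find_first_bad_addr(); the field names in the result dict are this helper's own.

```python
"""Decode the KASAN shadow dump of a slab-out-of-bounds report.

Added analysis helper, not part of the original report or of the kernel.
One shadow byte covers SHADOW_GRANULE (8) bytes of kernel memory.
"""
import re

SHADOW_GRANULE = 8
REDZONE = 0xFC   # KASAN_KMALLOC_REDZONE: padding after a kmalloc object
FREED = 0xFB     # KASAN_KMALLOC_FREE: object has been freed

# Constructed input: the three shadow rows printed in the report above.
REPORT_SHADOW = """\
 ffff8801cd0f3700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801cd0f3780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cd0f3800: 00 00 00 00 00 00 00 00 02 fc fc fc fc fc fc fc
"""

# Values printed in the report: object start, slab object size,
# access start and access size.
OBJ = 0xFFFF8801CD0F3780
SLAB = 256
ACCESS = 0xFFFF8801CD0F3798
SIZE = 1280

ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_shadow(text):
    """Return {granule_start_address: shadow_byte} for every row in text."""
    shadow = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            shadow[base + i * SHADOW_GRANULE] = int(tok, 16)
    return shadow


def usable_size(shadow, obj):
    """Bytes the allocator actually handed out at obj (the requested
    kmalloc size), as opposed to the slab object size."""
    size = 0
    addr = obj
    while addr in shadow:
        val = shadow[addr]
        if val == 0:
            size += SHADOW_GRANULE
        elif 1 <= val < SHADOW_GRANULE:
            return size + val      # partial granule ends the object
        else:
            return size            # redzone, freed or other poison
        addr += SHADOW_GRANULE
    return size


def first_bad_addr(shadow, addr, size):
    """Walk the access in granule strides from its start until a non-zero
    shadow byte is seen (same rule as the kernel's find_first_bad_addr).
    Returns None if the dump does not cover the address."""
    cur = addr
    while cur < addr + size:
        val = shadow.get(cur - cur % SHADOW_GRANULE)
        if val is None:
            return None
        if val != 0:
            return cur
        cur += SHADOW_GRANULE
    return None


def analyse(shadow, obj, slab_size, addr, size):
    """Summarise an out-of-bounds access relative to its slab object."""
    usable = usable_size(shadow, obj)
    end = addr + size
    return {
        "offset_in_object": addr - obj,
        "usable_size": usable,
        "first_bad_addr": first_bad_addr(shadow, addr, size),
        "bytes_past_allocation": end - (obj + usable),
        "bytes_past_slab_object": end - (obj + slab_size),
    }


if __name__ == "__main__":
    result = analyse(parse_shadow(REPORT_SHADOW), OBJ, SLAB, ACCESS, SIZE)
    for key, val in result.items():
        shown = f"{val:#x}" if isinstance(val, int) else str(val)
        print(f"{key:24s} {shown}")
```

Run against the rows above, the helper shows that the kmalloc-256 slot was allocated with only 194 usable bytes (128 + 64 from the zero granules, plus the 2 bytes of the 0x02 granule at ffff8801cd0f3840), that the 1280-byte memcpy starts 24 bytes into it, and that it runs about 1.1 KB past the allocation and about 1 KB past the 256-byte slot into whatever neighbours it in the slab. The copy length in pfkey_sadb2xfrm_user_sec_ctx is evidently not bounded by the size of the buffer xfrm_user_policy allocated.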